Hi all,

I want to bring to your attention that we recently had some discussion
around our current strategy of backporting CVE-related fixes to TomEE
9.1.x [1].

We are in a situation in which the Tomcat community has decided to
stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
(Servlet 6) and onwards. Therefore, we do not get any bug fixes or
improvements and need to manually backport potential security fixes; we
are actually in a fight we cannot really win.

A few might ask why we can't just upgrade to Tomcat 10.1.x with TomEE
9.1.x. The answer is simple: TomEE 9.1.x targets EE 9.1, which requires
us to stay in line with Servlet 5.

The bad thing is that between Servlet 5 and Servlet 6, a few methods
got removed, making it backwards incompatible with Servlet 5.

So what are our options? From my POV, I can imagine the following:

(1) Continue to backport CVE fixes and miss out on important bug fixes,
improvements and such.

(2) Fork Tomcat from 10.1.x and re-add the dropped methods (from
Servlet 5) in order to stay up-to-date and remain Servlet 5
compatible (the Tomcat community won't do that, see [2]). Romain posted
the actual diff here: [3]. The downside is that we might break the TCK
signature test with this adjustment, so no TCK compliance anymore.
(Not actually speaking about the TCK itself, which might also break
due to some changes in Servlet 6 in the way cookies are processed,
etc.)

(3) We officially drop v9 (with a perspective, i.e. end of the year, and
continue (1) until that date) and release a 10.0.0 within the next
couple of months, knowing full well that it might not pass the full TCK
because we are in a hybrid state with CXF, etc.

While I like the idea of (2), it will scatter our sparse resources even
more, because we need to release a forked Tomcat, and I would personally
not really be happy to invest my time in maintaining a Tomcat fork,
because it is time I would rather invest in TomEE 10.x and its
other dependencies.

I am really keen to get some feedback on this discussion because we
somehow need to decide what we want to do with 9.1.x anyway, even if a
possible outcome of this discussion is that we just stay with (1).

Regards
Richard

[1] https://github.com/apache/tomee/pull/1114
[2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
[3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6